#coding:utf-8
#code by foRK
#QQ:261496481

import os
import random
import sys
import time

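# --- payload pools ------------------------------------------------------------
# Raw strings dropped into attribute values and element text.  Nothing here is
# escaped on purpose: the goal is to hand the browser malformed input, so do not
# reuse these pools for anything that renders real content.  Open the generated
# pages only in an isolated, instrumented browser (VM plus debugger attached).

# Length payloads (buffer / stack pressure) plus two high-byte runs.  'A' is
# '\x41'; the second run is byte 0x99.  The original spelled these '\0x41' and
# '\0x99', which Python reads as an octal NUL escape followed by the literal
# text "x41"/"x99" (4000 characters, not 1000 bytes).  Under Python 3 the 0x99
# run is a str of U+0099 and the output file needs an encoding that carries it.
overflows = ['A' * 100, 'A' * 500, 'A' * 1000, 'A' * 2000, 'A' * 3000,
             'A' * 4000, '\x41' * 1000, '\x99' * 1000, 'http://' + 'A' * 1000, ]  # 9

# printf-style directives (format-string bugs in native attribute handlers),
# oversized precisions, and two high-byte runs (same '\0x..' fix as above).
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x',
             '%s%p%x%d', '%.1024d', '%.1025d', '%.2048d', '%.2049d', '%.4096d', '%.4097d',
             '%99999999999s', '%08x', '%%20n', '%%20p', '%%20s', '%%20d', '%%20x',
             '%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%',
             '\xCD' * 50, '\xCB' * 50]  # 22

# Numeric boundary values (signed/unsigned 16/32-bit limits, float extremes,
# hex forms) as the strings the browser will parse.
numbers = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647',
           '2147483648', '-2147483648', '4294967294', '4294967295', '4294967296', '357913942',
           '-357913942', '536870912', '-536870912', '5e-324', '1.79769313486231E+308',
           '3.39519326559384E-313', '99999999999', '-99999999999', '0x100', '0x1000',
           '0x3fffffff', '0x7ffffffe', '0x7fffffff', '0x80000000', '0xffff', '0xfffffffe',
           '0xfffffff', '0xffffffff', '0x10000', '0x100000', '0x99999999', '65535', '65536',
           '65537', '16777215', '16777216', '16777217', '-268435455']  # 42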

#DOM
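# DOM member names for the (not yet implemented) script-based modes.
# window members: the first three are properties (window.x = x), the rest are
# methods called as window.x(x, x); resize*/scroll* and set* take two params.
domwindow = ['outerHeight', 'outerWidth', 'status', 'moveBy', 'moveTo',
             'resizeBy', 'resizeTo', 'scrollBy', 'scrollTo', 'setInterval', 'setTimeout']
#do <body onload="window.x=x"> (first 3) & others <body onload="window.x(x,x)">
#window.resizeX/scrollX has 2 params & setX has 2
# 'writeIn' (capital I) was a typo for document.writeln and named no real method.
domdocument = ['cookie', 'getElementById', 'getElementsByName', 'getElementsByTagName',
               'open', 'write', 'writeln']
domhistory = ['go']
domlocation = ['hash', 'host', 'hostname', 'href', 'pathname', 'port', 'protocol',
               'search', 'assign', 'replace']
# Empty placeholders; nothing in this file reads them.  NOTE: `object` shadows
# the builtin at module level — kept only so existing references do not break.
object = []
method = []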

#HTML
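# --- HTML element / attribute pools -------------------------------------------
htmlnewtable = []  # unused placeholder
# Element names.  The misspelt identifier is kept: the generators index htmllable[0].
htmllable = ['body', 'p', 'hr', 'font', 'bdo', 'pre', 'a', 'link', 'frame', 'frameset',
             'iframe', 'form', 'input', 'textarea', 'button', ]  # 15
# Attribute names per element (HTML 4 vintage).  'charet' in the <a>/<link>
# lists was a typo for the real 'charset' attribute.
htmlbody = ['alink', 'background', 'bgcolor', 'link', 'text', 'vlink', 'class', 'id', 'style', 'title', 'dir', 'lang']  # 12
htmlp = ['align', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmlhr = ['align', 'noshade', 'size', 'width', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmlfont = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmlbdo = ['class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmlpre = ['width', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmla = ['charset', 'coords', 'href', 'hreflang', 'name', 'rel', 'rev', 'shape', 'target', 'type', 'class', 'id']
htmllink = ['charset', 'href', 'hreflang', 'media', 'rel', 'rev', 'target', 'type', 'class', 'id', 'style', 'title']
htmlframe = ['frameborder', 'longdesc', 'marginheight', 'marginwidth', 'name', 'noresize', 'scrolling', 'src', 'id', 'class', 'title', 'style']
htmlframeset = ['cols', 'rows', 'id', 'class', 'title', 'style', 'dir', 'lang', 'accesskey', 'tabindex']
htmliframe = ['align', 'frameborder', 'height', 'longdesc', 'marginheight', 'marginwidth', 'name', 'scrolling', 'src', 'width', 'id', 'class', 'title', 'style']
htmlform = ['action', 'accept', 'accept-charset', 'enctype', 'method', 'name', 'target', 'class', 'id', 'style', 'title']
htmlinput = ['accept', 'align', 'alt', 'checked', 'disabled', 'maxlength', 'name', 'readonly', 'size', 'src', 'type']
htmltextarea = ['cols', 'rows', 'disabled', 'name', 'readonly', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
htmlbutton = ['disabled', 'name', 'type', 'value', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
# Merged attribute pool.  Duplicates are intentional: names shared by many
# elements (class/id/style/title) get drawn proportionally more often.
htmltag = (htmlbody + htmlp + htmlhr + htmlfont + htmlbdo + htmlpre + htmla + htmllink
           + htmlframe + htmlframeset + htmliframe + htmlform + htmlinput + htmltextarea
           + htmlbutton)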

#SYSTEM
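# Windows paths and shell fragments pushed through attribute values.  Raw
# strings keep every backslash literal no matter what letter follows it (the
# plain form only worked because \w, \s, \c, \l and \. happen not to be
# escapes, and newer Pythons warn on them).  The last entry stays a normal
# string because a raw literal may not end in a backslash.
syspath = [r'C:\windows\system32\calc.exe', 'net user', r'net user > d:\list.txt',
           r'D:\..\...\....', 'D:\\' + 'A' * 1000, ]  # 5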


#JavaScript
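# JavaScript API names for the script-based modes (no generator in this file
# uses them yet).  Names must match the real API or the generated script just
# throws ReferenceError/TypeError instead of exercising the target function:
# 'inNaN' -> isNaN, 'dte.Seconds' -> dte.setSeconds, 'toPercision' ->
# toPrecision, and the duplicated 'strng.link' entry is dropped.
jstlfuncs = ['decodeURI', 'decodeURIComponent', 'encodeURI', 'encodeURIComponent',
             'escape', 'unescape', 'eval', 'isFinite', 'isNaN', 'Number', 'parseFloat',
             'parseInt', 'String']
# Methods on the `strng` variable declared by jsvarstrng.
jsstringmtds = ['strng.anchor', 'strng.charAt', 'strng.charCodeAt', 'strng.concat',
                'strng.fontcolor', 'strng.fontsize', 'strng.fromCharCode', 'strng.indexOf',
                'strng.lastIndexOf', 'strng.link', 'strng.match', 'strng.replace',
                'strng.search', 'strng.slice', 'strng.split', 'strng.substr', 'strng.substring']
# Setters on the `dte` variable declared by jsvardte.
jsdatemtds = ['Date.parse', 'dte.setDate', 'dte.setFullYear', 'dte.setHours', 'dte.setMilliseconds',
              'dte.setMinutes', 'dte.setMonth', 'dte.setSeconds', 'dte.setTime', 'dte.setUTCDate',
              'dte.setUTCMonth', 'dte.setUTCFullYear', 'dte.setUTCHours', 'dte.setUTCMinutes',
              'dte.setUTCSeconds', 'dte.setUTCMilliseconds', 'dte.setYear']
jsmathmtds = ['Math.abs', 'Math.acos', 'Math.asin', 'Math.atan', 'Math.atan2', 'Math.ceil',
              'Math.cos', 'Math.exp', 'Math.floor', 'Math.log', 'Math.max', 'Math.min',
              'Math.pow', 'Math.round', 'Math.sin', 'Math.sqrt', 'Math.tan']
# Methods on the `numbr` variable declared by jsvarnumbr.
jsnumbermtds = ['numbr.toExponential', 'numbr.toFixed', 'numbr.toPrecision', 'numbr.toString']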

# Page-assembly fragments shared by the generators.  Each case is built as
# htmlbegin + refresh1 + <next file> + refresh2 + <payload markup> + htmlend.

# Inline stylesheet wrapper (note: cssend also closes <head>, with no opener here).
cssbegin = '<style type="text/css">'
cssend = '</style>\n</head>'

# Document wrapper.
htmlbegin = '<html>'
htmlend = '</html>'

# Script wrapper and the three variables the js*mtds pools call methods on.
scriptbegin = '<script type="text/javascript">'
scriptend = '</script>'
jsvarstrng = 'var strng = "test";'
jsvardte = 'var dte = new Date();'
jsvarnumbr = 'var numbr = new Number(1000);'

# One-second meta refresh: refresh1 + <target file name> + refresh2 chains the
# generated pages so the browser walks them without operator input.
refresh1 = '<head><meta http-equiv="refresh" content="1; url='
refresh2 = '"></head>'

# Bare angle brackets for ad-hoc tag construction.
tagbegin = '<'
tagend = '>'

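# Command-line handling.  Three positional arguments are required; the
# original tested for only one and then fell through to sys.argv[1..3], which
# died with an IndexError right after printing the usage banner.  Modes 3 and 4
# are advertised in the banner but no branch for them is visible in this file
# (the MOD == '3' branch is commented out), so only 1 and 2 produce output.
if len(sys.argv) < 4:
    print('Version 0.1')
    print('Browser Fuzzer 2 by python')
    print('Usage: %s [output directory] [Mod] [Num]' % sys.argv[0])
    print('1.HTML Fuzzing:Tag tree')        # nesting depth: deep parser recursion -> stack overflow
    print('2.HTML Fuzzing:Tag attributes')  # attribute mutation: empty / oversized values -> stack faults, NULL derefs
    print('3.HTML Fuzzing:Tag text')        # oversized text content -> excessive recursion -> stack overflow
    print('4.HTML Fuzzing:HTML Encoding')   # encoding mutation: actual page encoding vs. declared charset
    sys.exit(1)

PATH = sys.argv[1]  # output directory; must already exist, not validated here
MOD = sys.argv[2]   # fuzzing mode, compared as the string '1', '2', ...
NUM = sys.argv[3]   # number of chained cases; converted with int() in main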


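def _wrap_page(body, next_name):
    """Return one complete test page around *body*.

    The page carries a one-second meta refresh to *next_name*, so the files a
    run produces form a chain the browser walks unattended; the final page
    refreshes to a file that was never written, which ends the chain.
    """
    return (htmlbegin + '\n' + refresh1 + next_name + refresh2 + '\n'
            + body + '\n' + htmlend)


def _write_case(outdir, index, body):
    """Write ``<index>.html`` into *outdir*, chained to ``<index+1>.html``.

    os.path.join replaces the hard-coded backslash so the tool also places
    files correctly when run outside Windows.  The file is written in text
    mode as before; the 0x99/0xCD/0xCB payloads are single bytes under
    Python 2 but non-ASCII code points under Python 3, where a text file in
    some default encodings may refuse them.
    """
    target = os.path.join(outdir, "%d.html" % index)
    with open(target, "w") as out:  # closed even if write() raises
        out.write(_wrap_page(body, "%d.html" % (index + 1)))


def _tag_tree_case():
    """Mode 1 body: one <body> whose single attribute holds a format-string payload.

    Despite the mode's name nothing here nests elements; each file holds one
    ``<body attr="%...">Fuck Me</body>``.
    """
    elem = htmllable[0]
    attr_name = random.choice(htmlbody)
    return ('<' + elem + ' ' + attr_name + '="' + random.choice(fmtstring) + '">'
            + "Fuck Me" + '</' + elem + '>')


def _tag_attribute_case():
    """Mode 2 body: one random element carrying six random attribute names.

    Every chosen name is emitted five times, once per payload class (system
    path, overflow, numeric edge, format string, element name); the duplicate
    attributes are part of the test.  Values are deliberately unescaped —
    this is fuzz input, not a template for real markup.
    """
    elem = random.choice(htmllable)
    payloads = [random.choice(syspath), random.choice(overflows),
                random.choice(numbers), random.choice(fmtstring), elem]
    # NOTE(review): the original indexed two names, `tag` and `attr`, that are
    # defined nowhere in this file (NameError on the first mode-2 case).  The
    # element-name pool and the merged attribute-name pool are the closest
    # match to how the surrounding code uses them — confirm intent.
    attr_names = [random.choice(htmltag) for _ in range(6)]
    pairs = [name + '="' + value + '"' for name in attr_names for value in payloads]
    return '<' + elem + ' ' + ' '.join(pairs) + ' ' + '>' + 'Fuck Me' + '</' + elem + '>'


# Sketch of the nested shape the modes were meant to reach; the generators
# above emit a single element each.
# <tag attr="val">123<tag attr="val">456 <tag attr="val">789</tag> </tag></tag>

if __name__ == '__main__':
    path = PATH
    try:
        num = int(NUM)
    except ValueError:
        print("Num must be an integer, got %r" % NUM)
        sys.exit(2)
    generators = {'1': _tag_tree_case, '2': _tag_attribute_case}
    make_body = generators.get(MOD)
    if make_body is None:
        # modes 3 and 4 are listed in the usage banner but not implemented here
        print("unsupported Mod: %s (only 1 and 2 are implemented)" % MOD)
        sys.exit(2)
    # num+1 files, 0.html .. <num>.html, exactly as the original loop produced
    for index in range(num + 1):
        _write_case(path, index, make_body())
    print("output OK ----")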
		
#	if MOD == '3':
